How To Profit From Invading Your Users' Privacy

*Important Notice* Please consult the laws in your area before acting on anything in this post. Even though many sites are using some of the methods I describe, that does not mean it's legal. Consult your legal counsel.

What if I told you that just by visiting my website I am able to know everything about you? What sites you have been to, your name, your wife’s name, your phone number, your household income, and much more.

Here is how it works

One of the things your web browser (Internet Explorer, Chrome, Firefox, etc.) does is check the links on a page against your browsing history. This is a “feature” for users so they can tell whether they have been to a site before. By default, links that you have not visited are underlined blue and links that you have visited are a violet color.

Websites can override these defaults using cascading style sheets (CSS) to make links a certain color, or even replace the text altogether and load images for the links or, more importantly, for visited links. So I can also set each visited link to a particular image.

So, let's say you come to my site and have visited apple.com. I could load apple.com as the image for that link if you had visited the site. But that is not very practical.

What would be practical (and profitable) is to set links for the top 10000 retail sites in the world in a 1 pixel frame that the user would never see. While the user would not see it… the website owner would and then could load advertisements based on what sites you have previously visited.

This actually exposes a MUCH bigger problem though. If you can load an image based on where a person has been, then what's stopping me from dropping an eBay affiliate cookie if you have been to eBay? An Apple cookie if you have been to apple.com? An Amazon cookie, if I know you shop at Amazon?

Dropping these cookies via an image would pay me every time you continue to shop at these sites you already shop at. Plus, it would be a nightmare for affiliate programs because, unlike most cookie stuffing, your click-through-to-conversion rate would be in line (maybe even more in line) with what they expect, as opposed to blindly cookieing the entire world and easily getting busted.

Now, before you run off and do this: people are not only getting kicked out of affiliate programs for stuffing cookies, but some are actually being charged with “wire fraud” by the FBI.

It doesn’t really matter anyway though, because about a year ago web browsers started blocking the ability to load images from visited active links.

So can you still see where all your users have been? Yes, but it takes a little more technical ability.

Through JavaScript you can check which sites your visitors have visited. All you have to do is set your visited links to an arbitrary color and then simply query the browser to see which links match the color you have chosen.

Let's say we don’t even use CSS and leave the visited link as the default color.

This would loop through a predefined set of specified websites and then check to see what color your web browser is displaying them as. If you have visited them then I know.

Now, you might think that it takes a while to check all these sites to see if you have visited them before. It really is a client-side thing, so it varies, but in my tests I was able to load 10,000 sites in less than 5 seconds.

The scary thing is you could mix some AJAX in with this and load an image that would still stuff cookies, or maybe even an iframe.

Now, the above is obviously just proof-of-concept code. You would want to log the data to some sort of database.

What if I told you I was doing this to people on my sites… not stuffing, but just tracking them? Tracking their IP with all the sites they visit. You would say I am pretty shady, right?

Big sites are doing it right now

A report done 7 months ago by the University of California, San Diego scanned more than 50,000 of the top Alexa-ranked sites, and here are some of the big names that were using JavaScript to detect what sites you have been to:

Maybe you recognize some of them? A lot of them have since removed the code. Read the full report for more details. It also has the exact code the sites were using (a lot better than my example above).
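
An auditor's view of the same pattern, as an added example that is not from this post or the UCSD report: a static heuristic that flags a script when it builds anchors, reads a computed color, and names several outside hosts. The signal patterns, the three-host threshold and both sample scripts are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for link-color history sniffing.
// Signal patterns and the host threshold are illustrative assumptions.
const SIGNALS = {
  readsComputedStyle: /\b(getComputedStyle|currentStyle)\b/,
  readsColor: /\.color\b|getPropertyValue\(\s*['"]color['"]\s*\)/,
  buildsAnchors: /createElement\(\s*['"]a['"]\s*\)|<a\s[^>]*href=/i,
};
const URL_RE = /['"](?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})[^'"]*['"]/gi;

// Collect distinct hosts named in string literals, ignoring the site's own.
function externalHosts(source, ownHost) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase().replace(/^www\./, '');
    if (host !== ownHost && !host.endsWith('.' + ownHost)) hosts.add(host);
  }
  return hosts;
}

// Suspicious only when all three signals co-occur with many outside hosts.
function assessScript(source, ownHost, minHosts = 3) {
  const signals = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
  const hostCount = externalHosts(source, ownHost).size;
  const suspicious = signals.length === 3 && hostCount >= minHosts;
  return { suspicious, signals, hostCount };
}

// Constructed inputs: a fragment shaped like the loop the post describes,
// and an ordinary theming script that also reads a computed color.
const SNIFF_SHAPED = `
var sites = ["http://shop-a.example/", "http://shop-b.example/",
             "http://www.shop-c.example/", "http://cdn.mysite.example/x"];
for (var i = 0; i < sites.length; i++) {
  var a = document.createElement("a"); a.href = sites[i];
  var shade = getComputedStyle(a).color;
}`;
const THEME_SCRIPT = `
var fg = getComputedStyle(document.body).color;
document.documentElement.style.setProperty("--fg", fg);`;

console.log(assessScript(SNIFF_SHAPED, 'mysite.example'));
console.log(assessScript(THEME_SCRIPT, 'mysite.example'));
```

A hit is a prompt for manual review of the script; site lists that are obfuscated or fetched at runtime will not match these patterns.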

But what is the data probably used for?

What the report found was that out of the over 400 sites that were getting your history, 90% of them were sniffing for eBay. Why? Was eBay buying data on who visits their site and where they go?

The most practical application for this is for the website owner to sell the data (that would include your IP address and all the major retail outlets you visit) to advertising companies like Double Click. They could then target those visitors throughout their entire network.

Enough about history, what else can we find out?

Let's take it a bit further. If you were to comment or use any service on a site, they could take that email and run it against Facebook’s tools. Since 70% of people on the internet have a Facebook account and Facebook has your account “open” by default, I can look up all the information on your Facebook account that is publicly accessible. By default this includes your phone number, your interests, all your friends, your location, where you work and tons of other stuff.

I could then add this to my arsenal of data that I have on you to sell you products (or sell the data to a company who does so).

Let's take that another step further. There are services out there that aggregate data from many sources and can look up people’s information from a phone number or email.

So now I can take your email (which came from my site) or for more accuracy your phone number (which I just got from Facebook) and I can use that data with the tools provided by data services like amplemedia. Within seconds it will return your home address, how many kids you have, your household income, and possibly your credit history and other data.

So just by visiting my site and making a comment I now know your name, your email, your phone number, all your friends (and possibly all their phone numbers), your household income, and on a basic level all of the websites you have visited.

Do you think this would help me find the right kind of shit to sell you?

Wyatt

Jaheem

Clare

Wow, it’s incredible to think that you can grab all that with a visit to a site. What isn’t incredible is that there are major sites doing it. Spam used to be the big no-no. I worked for a company in 2002 that sent out 3 billion (permission-based) spam per month. Spam is NOTHING in comparison to this. This is why I left the USA… when my cell phone company (ATT) wanted me to verify my brother and sister’s names before they turned my cell phone account back on! Nuts… the companies of the world have gone nuts and there is no government – or anybody to protect them.

I am more scared of what Facebook is doing right now with user info than all this. While this will take a certain degree of knowledge and work, users give facebook all their information when signing up!

Scary, we all understand nothing on the internet is private and versions of following visitors around is nothing new. Automatic way to get this post on facebook! I don’t want my friends and family to be out in the dark!

Hi, I am really happy I’ve found this information. Nowadays bloggers publish just about gossip and internet stuff and this is actually irritating. A good site with exciting content, that’s what I need. Thanks for making this website, and I will be visiting again.

We have been writing articles on computer security in our post. This is great stuff that I plan to recap and link back to this article in the near future. People are not aware of how vulnerable they are on the internet – Big Brother is watching!

Wow. Scary stuff. Nothing is private anymore, is it? Hope more is done over the next few years to help with this. But unfortunately, someone will just find a way to circumvent it.

September 20, 2011

Javier

Most people here are talking about how scary this is. But I’m wondering how we can put this information to good use to improve our users' experience or maybe target them with an offer that might be compelling for them. Any suggestions?

I always wondered how quancast.com gathered all the information from sites, such as similar sites the users visited and demography of the users (including income, education level and other data). Maybe they’re using this technique.

April 18, 2012

Javier

Most people here are talking about how scary this is. But I’m wondering how we can put this information to good use. Maybe we can improve our user experience, or show them a more compelling offer? Do you have any ideas on how to take advantage of knowing which sites our users visited?